Integrations

Okta Integration Guide

Introduction

Okta allows you to provide secure identity management and single sign-on to any application, whether in the cloud, on-premises or on a mobile device for your employees, partners and customers with Okta.

With Sapling’s integration with Okta, you can:

  1. Launch Sapling from Okta's single sign-on (SSO) portal
  2. Sign into Sapling using Okta credentials / authentication
  3. Automatically provision new hire accounts in Okta 

This guide provides a walkthrough on how Sapling Admins can enable the Okta integration and is split into two sections:

Setting up Okta for Auth Services Only (steps #1 - #4) and setting up Okta for Auth + Provisioning Services (step #5).

#1. Add Sapling to your Applications in Okta

Login to Okta and go to the "Applications" tab. Then select "Add Application."


Search for "Sapling" and click "Add."


There will be two Sapling Applications in Okta, which are used for different domains. Please ensure you choose the correct domain structure for your Sapling account (either saplingapp.io or saplinghr.com).

#2. Configure your company’s domain

Under "General Settings," fill in the "Subdomain" for your company. The Subdomain is the first part of your Sapling URL. 

For example, if your Sapling login URL is "https://rocketship.saplingapp.io", then the subdomain would simply be "rocketship."

Once you fill in your Subdomain, click "Next".


#3. Assign to People in your organization

On the "Assign to People" tab, you have the option to assign the app to employees who are already in Okta. We recommend you assign Sapling to your entire organization.

Once people have been assigned, click "Next" and the set-up will be completed.


#4. Add the SSO URL to Sapling

Once you have added Sapling in your Okta dashboard, you’ll we need to add the SSO URL and the certificate to  Sapling's integration page.


By clicking ‘View Set-up Instructions’, you’ll be taken to the final step of the set-up process.

On this page, you will find your:

  • Identity Provider SSO url
  • Identity Provider Certificate


Head back to Sapling and enter these into your SAML Authentication.


Enter the SAML information into Sapling by pasting the SSO Login URL (SAML 2.0 Endpoint (HTTP)) and the x.509 Certificate information from Okta. 


#5. Enabling Auto-Provisioning

Sapling can also provision the new hires Okta account. 

The workflow with this is: 

  1. New Hire data imported into Sapling
  2. People Operations starts the new hire onboarding in Sapling
  3. Sapling provisions the initial account in Okta (sends attributes to Okta)
  4. IT sets-up up all connected systems of new hire accounts (including gsuite, slack, jira/confluence, etc)
  5. IT triggers email invitation to new hire for Okta

When a Sapling Admin completes the onboarding flow, the new hire account is set-up by Sapling with the following attributes:

  • First Name
  • Last Name
  • Personal Email
  • Company Email
  • Job Title (coming soon)
  • Department
  • Location
  • Manager

To set-up provisioning, you will need to add an Okta API Token to Sapling and select Provision New Hires directly from Sapling.

This API section is available in Okta under the Security section.

Create a new API Key with the any name (i.e. Sapling HR) and provide access to Manage Users.


You will then be granted the API Token to be added to Sapling.

Learn more about Okta User Provisioning here

Confirmation Response Example


Still no luck? We are here to help!

People Operations can be complex - contact our customer success team to get in touch with you.

Contact Us